Merge pull request #9690 from MrPetovan/bug/9672-empty-acl-public

Append author's contact id to allowed contacts to prevent empty ACL for private items
This commit is contained in:
Michael Vogel 2020-12-21 10:35:37 +01:00 committed by GitHub
commit 190c41e64f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 54 additions and 46 deletions

View file

@ -163,31 +163,39 @@ function events_post(App $a)
if ($share) { if ($share) {
$str_contact_allow = '';
$str_group_allow = '';
$str_contact_deny = '';
$str_group_deny = '';
if (($_REQUEST['visibility'] ?? '') !== 'public') {
$user = User::getById($uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
if (!DBA::isResult($user)) {
return;
}
$aclFormatter = DI::aclFormatter(); $aclFormatter = DI::aclFormatter();
$str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $user['allow_cid'] ?? '';
$str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? '';
$str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? '';
$str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? '';
$str_group_allow = $aclFormatter->toString($_POST['group_allow'] ?? ''); // Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
$str_contact_allow = $aclFormatter->toString($_POST['contact_allow'] ?? ''); // that would make the item public. So we always append the author's contact id to the allowed contacts.
$str_group_deny = $aclFormatter->toString($_POST['group_deny'] ?? ''); // See https://github.com/friendica/friendica/issues/9672
$str_contact_deny = $aclFormatter->toString($_POST['contact_deny'] ?? ''); $str_contact_allow .= $aclFormatter->toString(\Friendica\Model\Contact::getPublicIdByUserId($uid));
// Undo the pseudo-contact of self, since there are real contacts now
if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
$str_contact_allow = str_replace('<' . $self . '>', '', $str_contact_allow);
} }
} else {
$str_contact_allow = '<' . $self . '>';
$str_group_allow = $str_contact_deny = $str_group_deny = '';
}
// Make sure to set the `private` field as true. This is necessary to // Make sure to set the `private` field as true. This is necessary to
// have the posts show up correctly in Diaspora if an event is created // have the posts show up correctly in Diaspora if an event is created
// as visible only to self at first, but then edited to display to others. // as visible only to self at first, but then edited to display to others.
if (strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) { if (strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) {
$private_event = true; $private_event = true;
} }
} else {
// Note: do not set `private` field for self-only events. It will
// keep even you from seeing them!
$str_contact_allow = '<' . $self . '>';
$str_group_allow = $str_contact_deny = $str_group_deny = '';
}
$datarray = []; $datarray = [];
$datarray['start'] = $start; $datarray['start'] = $start;

View file

@ -50,6 +50,7 @@ use Friendica\Model\Notify\Type;
use Friendica\Model\Photo; use Friendica\Model\Photo;
use Friendica\Model\Post; use Friendica\Model\Post;
use Friendica\Model\Tag; use Friendica\Model\Tag;
use Friendica\Model\User;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Object\EMail\ItemCCEMail; use Friendica\Object\EMail\ItemCCEMail;
use Friendica\Protocol\Activity; use Friendica\Protocol\Activity;
@ -195,8 +196,7 @@ function item_post(App $a) {
$orig_post = Item::selectFirst(Item::ITEM_FIELDLIST, ['id' => $post_id]); $orig_post = Item::selectFirst(Item::ITEM_FIELDLIST, ['id' => $post_id]);
} }
$user = DBA::selectFirst('user', [], ['uid' => $profile_uid]); $user = User::getById($profile_uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
if (!DBA::isResult($user) && !$toplevel_item_id) { if (!DBA::isResult($user) && !$toplevel_item_id) {
return 0; return 0;
} }
@ -272,6 +272,11 @@ function item_post(App $a) {
$str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? ''; $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? '';
$str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? ''; $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? '';
$str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? ''; $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? '';
// Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
// that would make the item public. So we always append the author's contact id to the allowed contacts.
// See https://github.com/friendica/friendica/issues/9672
$str_contact_allow .= $aclFormatter->toString(Contact::getPublicIdByUserId($uid));
} }
$title = trim($_REQUEST['title'] ?? ''); $title = trim($_REQUEST['title'] ?? '');
@ -750,7 +755,7 @@ function item_post(App $a) {
'type' => Type::COMMENT, 'type' => Type::COMMENT,
'otype' => Notify\ObjectType::ITEM, 'otype' => Notify\ObjectType::ITEM,
'verb' => Activity::POST, 'verb' => Activity::POST,
'uid' => $user['uid'], 'uid' => $profile_uid,
'cid' => $datarray['author-id'], 'cid' => $datarray['author-id'],
'item' => $datarray, 'item' => $datarray,
'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']), 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),
@ -760,7 +765,7 @@ function item_post(App $a) {
'type' => Type::WALL, 'type' => Type::WALL,
'otype' => Notify\ObjectType::ITEM, 'otype' => Notify\ObjectType::ITEM,
'verb' => Activity::POST, 'verb' => Activity::POST,
'uid' => $user['uid'], 'uid' => $profile_uid,
'cid' => $datarray['author-id'], 'cid' => $datarray['author-id'],
'item' => $datarray, 'item' => $datarray,
'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']), 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),

View file

@ -155,10 +155,6 @@ function photos_init(App $a) {
function photos_post(App $a) function photos_post(App $a)
{ {
Logger::log('mod-photos: photos_post: begin' , Logger::DEBUG);
Logger::log('mod_photos: REQUEST ' . print_r($_REQUEST, true), Logger::DATA);
Logger::log('mod_photos: FILES ' . print_r($_FILES, true), Logger::DATA);
$phototypes = Images::supportedTypes(); $phototypes = Images::supportedTypes();
$can_post = false; $can_post = false;
@ -184,10 +180,28 @@ function photos_post(App $a)
if (!$owner_record) { if (!$owner_record) {
notice(DI::l10n()->t('Contact information unavailable')); notice(DI::l10n()->t('Contact information unavailable'));
Logger::log('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid); DI::logger()->info('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid);
exit(); exit();
} }
$str_contact_allow = '';
$str_group_allow = '';
$str_contact_deny = '';
$str_group_deny = '';
if (($_REQUEST['visibility'] ?? '') !== 'public') {
$aclFormatter = DI::aclFormatter();
$str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $owner_record['allow_cid'] ?? '';
$str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $owner_record['allow_gid'] ?? '';
$str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $owner_record['deny_cid'] ?? '';
$str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $owner_record['deny_gid'] ?? '';
// Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
// that would make the item public. So we always append the author's contact id to the allowed contacts.
// See https://github.com/friendica/friendica/issues/9672
$str_contact_allow .= $aclFormatter->toString(\Friendica\Model\Contact::getPublicIdByUserId($page_owner_uid));
}
if ($a->argc > 3 && $a->argv[2] === 'album') { if ($a->argc > 3 && $a->argv[2] === 'album') {
if (!Strings::isHex($a->argv[3])) { if (!Strings::isHex($a->argv[3])) {
DI::baseUrl()->redirect('photos/' . $a->data['user']['nickname'] . '/album'); DI::baseUrl()->redirect('photos/' . $a->data['user']['nickname'] . '/album');
@ -313,13 +327,6 @@ function photos_post(App $a)
$albname = !empty($_POST['albname']) ? trim($_POST['albname']) : ''; $albname = !empty($_POST['albname']) ? trim($_POST['albname']) : '';
$origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : ''; $origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : '';
$aclFormatter = DI::aclFormatter();
$str_group_allow = !empty($_POST['group_allow']) ? $aclFormatter->toString($_POST['group_allow']) : '';
$str_contact_allow = !empty($_POST['contact_allow']) ? $aclFormatter->toString($_POST['contact_allow']) : '';
$str_group_deny = !empty($_POST['group_deny']) ? $aclFormatter->toString($_POST['group_deny']) : '';
$str_contact_deny = !empty($_POST['contact_deny']) ? $aclFormatter->toString($_POST['contact_deny']) : '';
$resource_id = $a->argv[3]; $resource_id = $a->argv[3];
if (!strlen($albname)) { if (!strlen($albname)) {
@ -639,18 +646,6 @@ function photos_post(App $a)
$visible = 0; $visible = 0;
} }
$group_allow = $_REQUEST['group_allow'] ?? [];
$contact_allow = $_REQUEST['contact_allow'] ?? [];
$group_deny = $_REQUEST['group_deny'] ?? [];
$contact_deny = $_REQUEST['contact_deny'] ?? [];
$aclFormatter = DI::aclFormatter();
$str_group_allow = $aclFormatter->toString(is_array($group_allow) ? $group_allow : explode(',', $group_allow));
$str_contact_allow = $aclFormatter->toString(is_array($contact_allow) ? $contact_allow : explode(',', $contact_allow));
$str_group_deny = $aclFormatter->toString(is_array($group_deny) ? $group_deny : explode(',', $group_deny));
$str_contact_deny = $aclFormatter->toString(is_array($contact_deny) ? $contact_deny : explode(',', $contact_deny));
$ret = ['src' => '', 'filename' => '', 'filesize' => 0, 'type' => '']; $ret = ['src' => '', 'filename' => '', 'filesize' => 0, 'type' => ''];
Hook::callAll('photo_post_file', $ret); Hook::callAll('photo_post_file', $ret);

View file

@ -82,7 +82,7 @@ class Verify extends BaseModule
'$errors_label' => DI::l10n()->tt('Error', 'Errors', count(self::$errors)), '$errors_label' => DI::l10n()->tt('Error', 'Errors', count(self::$errors)),
'$errors' => self::$errors, '$errors' => self::$errors,
'$recovery_message' => DI::l10n()->t('Dont have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'), '$recovery_message' => DI::l10n()->t('Dont have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
'$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus placeholder="000000"', 'tel'], '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
'$verify_label' => DI::l10n()->t('Verify code and complete login'), '$verify_label' => DI::l10n()->t('Verify code and complete login'),
]); ]);
} }

View file

@ -138,7 +138,7 @@ class Verify extends BaseSettings
'$holder' => $holder, '$holder' => $holder,
'$secret' => $secret, '$secret' => $secret,
'$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus placeholder="000000"'], '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"'],
'$verify_label' => DI::l10n()->t('Verify code and enable two-factor authentication'), '$verify_label' => DI::l10n()->t('Verify code and enable two-factor authentication'),
]); ]);
} }